Default Security Policy

Machine policy is set by default to the values shown in the following tables. Because the policy levels are intersected when determining the allowed permission set, the machine policy settings actually determine the default security policy. Note that these tables represent the named permission sets and permissions used by the default policy settings and not all the named permission sets and permissions available to customize security policy.

The following table shows the default code groups for machine policy and the named permissions sets they receive by default. For example, code that originates from the local computer is assigned to the My Computer Zone and receives full trust by default.

Code group Named permission set received by default
  • My Computer Zone (code from the local computer)
  • Microsoft Strong Name (code signed with the Microsoft Strong Name)
  • ECMA Strong Name (code signed with the ECMA strong name)
Full Trust
  • Local Intranet Zone (Code from a local network)
Local Intranet
  • Internet Zone (Code from the internet)
  • Trusted Zone (Code from trusted sites in Internet Explorer)
Internet
  • All Code (All managed code)
  • Restricted Zone (Code from restricted sites)
Nothing

Note   In .NET Framework 1.0 Service Pack 1 and Service Pack 2, the Internet Zone Code Group receives the Nothing named permission set. In all other releases of the .NET Framework, the Internet Zone code group receives the Internet named permissions set, as described in the preceding table.

Although the All Code group receives the Nothing permission set by default, this does not mean that none of the code has permissions, because matching code groups are combined (called a union) to calculate the allowed permission set.

The following table shows the individual permissions that constitute the default permission sets. The column on the left lists individual permission objects, while the columns on the right represent the configuration of those objects in the permission sets. For example, code that originates from the Local Intranet Zone receives the Local Intranet Permission Set. This table shows that the Local Intranet Permission Set consists of unrestricted DNSPermission, unrestricted FileDialogPermission, and so on. Note that code from the Internet Zone does not receive the Internet Permission Set by default; instead it receives the Nothing Permission Set.

Permission Full Trust Permission Set

(Unrestricted access to all permissions including those not listed)

Nothing Permission Set

(No permissions, no right to execute)

Local Intranet Permission Set Internet Permission Set
DnsPermission Unrestricted No Access Unrestricted No Access
EnvironmentPermission Unrestricted No Access Read Username (environmental variable) No Access
EventLogPermission Unrestricted No Access Instrument No Access
FileDialogPermission Unrestricted No Access Unrestricted Open
IsolatedStoragePermission Unrestricted No Access AssemblyIsolationByUser

Disk Quota of 9223372036854775807

DomainIsolationByUser

Disk Quota of 10240

PrintingPermission Unrestricted No Access DefaultPrinting SafePriniting
ReflectionPermission Unrestricted No Access ReflectionEmit No Access
SecurityPermission Unrestricted No Access Execution

Assertion

Execution
UIPermission Unrestricted No Access Unrestricted SafeTopLevelWindows

OwnClipboard

Although the default security policy is suitable for many situations, administrators can modify or customize security policy to tailor it to the specific needs of their organizations. For details, see Administering Security Policy.

Note that code is subject to the additional restrictions associated with the inherent LinkDemand for full trust automatically performed by assemblies placed in the global assembly cache. Unless the AllowPartiallyTrustedCallersAttribute is applied to an assembly in the global assembly cache, all code that does not receive the Full Trust Permission Set will generate a SecurityException when it attempts to link to the assembly. For more information and a list of assemblies that have the AllowPartiallyTrustedCallersAttribute, see Using Libraries from Partially Trusted Code.

See Also

Security Policy Model | Security Policy Management | Using Libraries from Partially Trusted Code